From 0787a93372f5c44880182ac68f9e8f81ba339473 Mon Sep 17 00:00:00 2001 From: Priya Wadhwa Date: Mon, 26 Mar 2018 11:11:31 -0700 Subject: [PATCH 01/10] Workdir command and unit tests --- .../dockerfiles/Dockerfile_test_workdir | 10 +++ .../dockerfiles/config_test_workdir.json | 12 +++ integration_tests/integration_test_yaml.go | 71 +++++++++-------- pkg/commands/commands.go | 2 + pkg/commands/run.go | 1 + pkg/commands/workdir.go | 64 +++++++++++++++ pkg/commands/workdir_test.go | 79 +++++++++++++++++++ 7 files changed, 207 insertions(+), 32 deletions(-) create mode 100644 integration_tests/dockerfiles/Dockerfile_test_workdir create mode 100644 integration_tests/dockerfiles/config_test_workdir.json create mode 100644 pkg/commands/workdir.go create mode 100644 pkg/commands/workdir_test.go diff --git a/integration_tests/dockerfiles/Dockerfile_test_workdir b/integration_tests/dockerfiles/Dockerfile_test_workdir new file mode 100644 index 000000000..4fa6b6143 --- /dev/null +++ b/integration_tests/dockerfiles/Dockerfile_test_workdir @@ -0,0 +1,10 @@ +FROM gcr.io/google-appengine/debian9:latest +COPY context/foo foo +WORKDIR /test +WORKDIR workdir +COPY context/foo . +RUN cp foo newfoo +WORKDIR /new/dir +ENV dir /another/new/dir +WORKDIR $dir/newdir +WORKDIR / diff --git a/integration_tests/dockerfiles/config_test_workdir.json b/integration_tests/dockerfiles/config_test_workdir.json new file mode 100644 index 000000000..c87503403 --- /dev/null +++ b/integration_tests/dockerfiles/config_test_workdir.json @@ -0,0 +1,12 @@ +[ + { + "Image1": "gcr.io/kbuild-test/docker-test-workdir:latest", + "Image2": "gcr.io/kbuild-test/kbuild-test-workdir:latest", + "DiffType": "File", + "Diff": { + "Adds": null, + "Dels": null, + "Mods": null + } + } +] \ No newline at end of file diff --git a/integration_tests/integration_test_yaml.go b/integration_tests/integration_test_yaml.go index e81d4269d..1a91eb54d 100644 --- a/integration_tests/integration_test_yaml.go 
+++ b/integration_tests/integration_test_yaml.go 
@@ -29,33 +29,40 @@ var fileTests = []struct { context string repo string }{ + // { + // description: "test extract filesystem", + // dockerfilePath: "/workspace/integration_tests/dockerfiles/Dockerfile_test_extract_fs", + // configPath: "/workspace/integration_tests/dockerfiles/config_test_extract_fs.json", + // context: "integration_tests/dockerfiles/", + // repo: "extract-filesystem", + // }, + // { + // description: "test run", + // dockerfilePath: "/workspace/integration_tests/dockerfiles/Dockerfile_test_run", + // configPath: "/workspace/integration_tests/dockerfiles/config_test_run.json", + // context: "integration_tests/dockerfiles/", + // repo: "test-run", + // }, + // { + // description: "test run no files changed", + // dockerfilePath: "/workspace/integration_tests/dockerfiles/Dockerfile_test_run_2", + // configPath: "/workspace/integration_tests/dockerfiles/config_test_run_2.json", + // context: "integration_tests/dockerfiles/", + // repo: "test-run-2", + // }, + // { + // description: "test copy", + // dockerfilePath: "/workspace/integration_tests/dockerfiles/Dockerfile_test_copy", + // configPath: "/workspace/integration_tests/dockerfiles/config_test_copy.json", + // context: "/workspace/integration_tests/", + // repo: "test-copy", + // }, { - description: "test extract filesystem", - dockerfilePath: "/workspace/integration_tests/dockerfiles/Dockerfile_test_extract_fs", - configPath: "/workspace/integration_tests/dockerfiles/config_test_extract_fs.json", - context: "integration_tests/dockerfiles/", - repo: "extract-filesystem", - }, - { - description: "test run", - dockerfilePath: "/workspace/integration_tests/dockerfiles/Dockerfile_test_run", - configPath: "/workspace/integration_tests/dockerfiles/config_test_run.json", - context: "integration_tests/dockerfiles/", - repo: "test-run", - }, - { - description: "test run no files changed", - dockerfilePath: "/workspace/integration_tests/dockerfiles/Dockerfile_test_run_2", - configPath: 
"/workspace/integration_tests/dockerfiles/config_test_run_2.json", - context: "integration_tests/dockerfiles/", - repo: "test-run-2", - }, - { - description: "test copy", - dockerfilePath: "/workspace/integration_tests/dockerfiles/Dockerfile_test_copy", - configPath: "/workspace/integration_tests/dockerfiles/config_test_copy.json", + description: "test workdir", + dockerfilePath: "/workspace/integration_tests/dockerfiles/Dockerfile_test_workdir", + configPath: "/workspace/integration_tests/dockerfiles/config_test_workdir.json", context: "/workspace/integration_tests/", - repo: "test-copy", + repo: "test-workdir", }, } @@ -66,13 +73,13 @@ var structureTests = []struct { dockerBuildContext string repo string }{ - { - description: "test env", - dockerfilePath: "/workspace/integration_tests/dockerfiles/Dockerfile_test_env", - repo: "test-env", - dockerBuildContext: "/workspace/integration_tests/dockerfiles/", - structureTestYamlPath: "/workspace/integration_tests/dockerfiles/test_env.yaml", - }, + // { + // description: "test env", + // dockerfilePath: "/workspace/integration_tests/dockerfiles/Dockerfile_test_env", + // repo: "test-env", + // dockerBuildContext: "/workspace/integration_tests/dockerfiles/", + // structureTestYamlPath: "/workspace/integration_tests/dockerfiles/test_env.yaml", + // }, } type step struct { diff --git a/pkg/commands/commands.go b/pkg/commands/commands.go index 8f6b6a8cc..7e10f64be 100644 --- a/pkg/commands/commands.go +++ b/pkg/commands/commands.go @@ -44,6 +44,8 @@ func GetCommand(cmd instructions.Command, buildcontext string) (DockerCommand, e return &ExposeCommand{cmd: c}, nil case *instructions.EnvCommand: return &EnvCommand{cmd: c}, nil + case *instructions.WorkdirCommand: + return &WorkdirCommand{cmd: c}, nil } return nil, errors.Errorf("%s is not a supported command", cmd.Name()) } diff --git a/pkg/commands/run.go b/pkg/commands/run.go index b08cf8800..b6aa2b19c 100644 --- a/pkg/commands/run.go +++ b/pkg/commands/run.go 
@@ -44,6 +44,7 @@ func (r *RunCommand) ExecuteCommand(config *manifest.Schema2Config) error { logrus.Infof("args: %s", newCommand[1:]) cmd := exec.Command(newCommand[0], newCommand[1:]...) + cmd.Dir = config.WorkingDir cmd.Stdout = os.Stdout return cmd.Run() } diff --git a/pkg/commands/workdir.go b/pkg/commands/workdir.go new file mode 100644 index 000000000..276abec22 --- /dev/null +++ b/pkg/commands/workdir.go 
@@ -0,0 +1,64 @@ +/* +Copyright 2018 Google LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package commands + +import ( + "github.com/GoogleCloudPlatform/k8s-container-builder/pkg/util" + "github.com/containers/image/manifest" + "github.com/docker/docker/builder/dockerfile/instructions" + "github.com/sirupsen/logrus" + "os" + "path/filepath" + "strings" +) + +type WorkdirCommand struct { + cmd *instructions.WorkdirCommand + snapshotFiles []string +} + +func (w *WorkdirCommand) ExecuteCommand(config *manifest.Schema2Config) error { + logrus.Info("cmd: workdir") + workdirPath := w.cmd.Path + resolvedWorkingDir, err := util.ResolveEnvironmentReplacement(w.workdirToString(), workdirPath, config.Env, true) + if err != nil { + return err + } + if filepath.IsAbs(resolvedWorkingDir) { + config.WorkingDir = resolvedWorkingDir + } else { + config.WorkingDir = filepath.Join(config.WorkingDir, resolvedWorkingDir) + } + logrus.Infof("Changed working directory to %s", config.WorkingDir) + w.snapshotFiles = []string{config.WorkingDir} + return os.MkdirAll(config.WorkingDir, 0755) +} + +func (w *WorkdirCommand) workdirToString() string { + workdir := []string{"WORKDIR"} + return strings.Join(append(workdir, w.cmd.Path), " ") +} + +// FilesToSnapshot returns the workingdir, which should have been created if it didn't already exist +func (w *WorkdirCommand) FilesToSnapshot() []string { + return w.snapshotFiles +} + +// CreatedBy returns some information about the command for the image config 
history +func (w *WorkdirCommand) CreatedBy() string { + return w.cmd.Name() + " " + w.cmd.Path +} diff --git a/pkg/commands/workdir_test.go b/pkg/commands/workdir_test.go new file mode 100644 index 000000000..3225980c6 --- /dev/null +++ b/pkg/commands/workdir_test.go @@ -0,0 +1,79 @@ +/* +Copyright 2018 Google LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +package commands + +import ( + "github.com/GoogleCloudPlatform/k8s-container-builder/testutil" + "github.com/containers/image/manifest" + "github.com/docker/docker/builder/dockerfile/instructions" + "testing" +) + +var workdirTests = []struct { + path string + expectedPath string +}{ + { + path: "/a", + expectedPath: "/a", + }, + { + path: "b", + expectedPath: "/a/b", + }, + { + path: "c", + expectedPath: "/a/b/c", + }, + { + path: "/d", + expectedPath: "/d", + }, + { + path: "$path", + expectedPath: "/d/usr", + }, + { + path: "$home", + expectedPath: "/root", + }, + { + path: "$path/$home", + expectedPath: "/root/usr/root", + }, +} + +func TestWorkdirCommand(t *testing.T) { + + cfg := &manifest.Schema2Config{ + WorkingDir: "/", + Env: []string{ + "path=usr/", + "home=/root", + }, + } + + for _, test := range workdirTests { + cmd := WorkdirCommand{ + cmd: &instructions.WorkdirCommand{ + Path: test.path, + }, + snapshotFiles: []string{}, + } + cmd.ExecuteCommand(cfg) + testutil.CheckErrorAndDeepEqual(t, false, nil, test.expectedPath, cfg.WorkingDir) + } +} From 27c3c319b04e299cda9af5027e37584c4d8bee55 Mon Sep 17 00:00:00 2001 
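Review bot: In `WorkdirCommand.ExecuteCommand` (pkg/commands/workdir.go), `config.WorkingDir` and `w.snapshotFiles` are assigned before `os.MkdirAll` has succeeded, so a failed mkdir leaves the image config and the snapshot list pointing at a directory that was never created. Build the path in a local variable, run `if err := os.MkdirAll(dir, 0755); err != nil { return err }`, and only then assign `config.WorkingDir = dir` and `w.snapshotFiles = []string{dir}`. `MkdirAll` may also create parent directories (for example `/new` for `WORKDIR /new/dir`) that are not added to `snapshotFiles`; whether the snapshotter picks them up is not visible here and should be confirmed. The exported `WorkdirCommand` type and `ExecuteCommand` have no doc comments; something like `// WorkdirCommand implements the Dockerfile WORKDIR instruction` would match the comments on `FilesToSnapshot` and `CreatedBy`.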
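Review bot: `TestWorkdirCommand` drops the error from `cmd.ExecuteCommand(cfg)` and passes a literal `nil` to `testutil.CheckErrorAndDeepEqual`, so a failing `os.MkdirAll` is never reported. Capture it with `err := cmd.ExecuteCommand(cfg)` and pass `err` in place of `nil`. Because `ExecuteCommand` calls `os.MkdirAll` on the resolved path, this unit test also creates `/a/b/c`, `/d/usr` and `/root/usr/root` on the machine that runs it and needs write access to `/`. Consider making the directory creation injectable, or restricting the test to an environment where touching the root filesystem is expected.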
From: dlorenc Date: Mon, 26 Mar 2018 10:52:37 -0700 Subject: [PATCH 02/10] Add a script to run the executor in a Docker container locally. Also force GOOS=linux for the executor. It doesn't make sense to cross compile that. --- Makefile | 2 +- run_in_docker.sh | 35 +++++++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100755 run_in_docker.sh diff --git a/Makefile b/Makefile index 1694112bf..86e38cc92 100644 --- a/Makefile +++ b/Makefile @@ -35,7 +35,7 @@ EXECUTOR_PACKAGE = $(REPOPATH)/executor KBUILD_PACKAGE = $(REPOPATH)/kbuild out/executor: $(GO_FILES) - GOOS=$* GOARCH=$(GOARCH) CGO_ENABLED=0 go build -ldflags $(GO_LDFLAGS) -tags $(GO_BUILD_TAGS) -o $@ $(EXECUTOR_PACKAGE) + GOARCH=$(GOARCH) GOOS=linux CGO_ENABLED=0 go build -ldflags $(GO_LDFLAGS) -tags $(GO_BUILD_TAGS) -o $@ $(EXECUTOR_PACKAGE) out/kbuild: $(GO_FILES) diff --git a/run_in_docker.sh b/run_in_docker.sh new file mode 100755 index 000000000..50a0ca33f --- /dev/null +++ b/run_in_docker.sh 
@@ -0,0 +1,35 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#!/bin/bash +set -e + +if [ $# -ne 2 ]; + then echo "Usage: run_in_docker.sh " +fi + + +context=$1 +tag=$2 + +if [[ ! -e $HOME/.config/gcloud/application_default_credentials.json ]]; then + echo "Application Default Credentials do not exist. Run [gcloud auth application-default login] to configure them" + exit 1 +fi + +docker run \ + -v $HOME/.config/gcloud:/root/.config/gcloud \ + -v ${context}:/workspace \ + gcr.io/kbuild-project/executor:latest \ + /kbuild/executor -d ${tag} From a5a84ed552f460d80ef62a9679fdabe8b9eb0d76 Mon Sep 17 00:00:00 2001 From: Priya Wadhwa Date: Mon, 26 Mar 2018 11:38:02 -0700 Subject: [PATCH 03/10] workdir integration test --- .../dockerfiles/Dockerfile_test_workdir | 9 ++- integration_tests/integration_test_yaml.go | 70 +++++++++---------- 2 files changed, 41 insertions(+), 38 deletions(-) diff --git a/integration_tests/dockerfiles/Dockerfile_test_workdir b/integration_tests/dockerfiles/Dockerfile_test_workdir index 4fa6b6143..6c89e4c11 100644 --- a/integration_tests/dockerfiles/Dockerfile_test_workdir +++ b/integration_tests/dockerfiles/Dockerfile_test_workdir 
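Review bot: The `docker run` in run_in_docker.sh bind-mounts the whole `$HOME/.config/gcloud` directory read-write into the container, which gives the executor image write access to the caller's gcloud credentials; a read-only mount (`:ro`) is the least the container should get, assuming the executor only reads the Application Default Credentials. The argument check prints the usage text but does not exit, so the script continues with empty `context` and `tag`. The usage text also names no arguments; `<context> <tag>` in the fence is inferred from the variable names. `$HOME`, `${context}` and `${tag}` are unquoted, so paths containing spaces are split into separate arguments. The `#!/bin/bash` line sits after the license header, so the kernel does not treat it as a shebang, and the script relies on `[[`, which needs bash; move it to line 1.

```shell
#!/bin/bash
# … unchanged: license header, set -e …
if [ $# -ne 2 ]; then
  echo "Usage: run_in_docker.sh <context> <tag>"
  exit 1
fi
# … unchanged: context/tag assignment and credentials check …
docker run \
  -v "$HOME/.config/gcloud:/root/.config/gcloud:ro" \
  -v "${context}:/workspace" \
  gcr.io/kbuild-project/executor:latest \
  /kbuild/executor -d "${tag}"
```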
@@ -1,10 +1,13 @@ FROM gcr.io/google-appengine/debian9:latest COPY context/foo foo WORKDIR /test -WORKDIR workdir -COPY context/foo . -RUN cp foo newfoo +# Test that this will be appended on to the previous command, to create /test/workdir +WORKDIR workdir +COPY context/foo ./currentfoo +# Test that the RUN command will happen in the correct directory +RUN cp currentfoo newfoo WORKDIR /new/dir ENV dir /another/new/dir WORKDIR $dir/newdir +WORKDIR $dir/$doesntexist WORKDIR / diff --git a/integration_tests/integration_test_yaml.go b/integration_tests/integration_test_yaml.go index 1a91eb54d..cda55ac61 100644 --- a/integration_tests/integration_test_yaml.go +++ b/integration_tests/integration_test_yaml.go 
@@ -29,34 +29,34 @@ var fileTests = []struct { context string repo string }{ - // { - // description: "test extract filesystem", - // dockerfilePath: "/workspace/integration_tests/dockerfiles/Dockerfile_test_extract_fs", - // configPath: "/workspace/integration_tests/dockerfiles/config_test_extract_fs.json", - // context: "integration_tests/dockerfiles/", - // repo: "extract-filesystem", - // }, - // { - // description: "test run", - // dockerfilePath: "/workspace/integration_tests/dockerfiles/Dockerfile_test_run", - // configPath: "/workspace/integration_tests/dockerfiles/config_test_run.json", - // context: "integration_tests/dockerfiles/", - // repo: "test-run", - // }, - // { - // description: "test run no files changed", - // dockerfilePath: "/workspace/integration_tests/dockerfiles/Dockerfile_test_run_2", - // configPath: "/workspace/integration_tests/dockerfiles/config_test_run_2.json", - // context: "integration_tests/dockerfiles/", - // repo: "test-run-2", - // }, - // { - // description: "test copy", - // dockerfilePath: "/workspace/integration_tests/dockerfiles/Dockerfile_test_copy", - // configPath: "/workspace/integration_tests/dockerfiles/config_test_copy.json", - // context: "/workspace/integration_tests/", - // repo: "test-copy", - // }, + { + description: "test extract filesystem", + dockerfilePath: "/workspace/integration_tests/dockerfiles/Dockerfile_test_extract_fs", + configPath: "/workspace/integration_tests/dockerfiles/config_test_extract_fs.json", + context: "integration_tests/dockerfiles/", + repo: "extract-filesystem", + }, + { + description: "test run", + dockerfilePath: "/workspace/integration_tests/dockerfiles/Dockerfile_test_run", + configPath: "/workspace/integration_tests/dockerfiles/config_test_run.json", + context: "integration_tests/dockerfiles/", + repo: "test-run", + }, + { + description: "test run no files changed", + dockerfilePath: "/workspace/integration_tests/dockerfiles/Dockerfile_test_run_2", + configPath: 
"/workspace/integration_tests/dockerfiles/config_test_run_2.json", + context: "integration_tests/dockerfiles/", + repo: "test-run-2", + }, + { + description: "test copy", + dockerfilePath: "/workspace/integration_tests/dockerfiles/Dockerfile_test_copy", + configPath: "/workspace/integration_tests/dockerfiles/config_test_copy.json", + context: "/workspace/integration_tests/", + repo: "test-copy", + }, { description: "test workdir", dockerfilePath: "/workspace/integration_tests/dockerfiles/Dockerfile_test_workdir", @@ -73,13 +73,13 @@ var structureTests = []struct { dockerBuildContext string repo string }{ - // { - // description: "test env", - // dockerfilePath: "/workspace/integration_tests/dockerfiles/Dockerfile_test_env", - // repo: "test-env", - // dockerBuildContext: "/workspace/integration_tests/dockerfiles/", - // structureTestYamlPath: "/workspace/integration_tests/dockerfiles/test_env.yaml", - // }, + { + description: "test env", + dockerfilePath: "/workspace/integration_tests/dockerfiles/Dockerfile_test_env", + repo: "test-env", + dockerBuildContext: "/workspace/integration_tests/dockerfiles/", + structureTestYamlPath: "/workspace/integration_tests/dockerfiles/test_env.yaml", + }, } type step struct { From 54a53489b21bf3a1068203d347e45c61894e284f Mon Sep 17 00:00:00 2001 From: Priya Wadhwa Date: Mon, 26 Mar 2018 16:56:28 -0700 Subject: [PATCH 04/10] Added comment to unit test --- pkg/commands/workdir_test.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkg/commands/workdir_test.go b/pkg/commands/workdir_test.go index 3225980c6..439d77fd5 100644 --- a/pkg/commands/workdir_test.go +++ b/pkg/commands/workdir_test.go 
@@ -22,6 +22,10 @@ import ( "testing" ) +// Each test here changes the same WorkingDir field in the config +// So, some of the tests build off of each other +// This is needed to make sure WorkingDir handles paths correctly +// For example, if WORKDIR specifies a non-absolute path, it should be appended to the current WORKDIR var workdirTests = []struct { path string expectedPath string From ad17811c39cee21676f7291c973a4d0017f18b1b Mon Sep 17 00:00:00 2001 From: Priya Wadhwa Date: Tue, 27 Mar 2018 15:15:55 -0700 Subject: [PATCH 05/10] Update workdir to use default escape token --- pkg/commands/workdir.go | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/pkg/commands/workdir.go b/pkg/commands/workdir.go index 276abec22..f249608ac 100644 --- a/pkg/commands/workdir.go +++ b/pkg/commands/workdir.go @@ -23,7 +23,6 @@ import ( "github.com/sirupsen/logrus" "os" "path/filepath" - "strings" ) type WorkdirCommand struct { @@ -34,7 +33,7 @@ type WorkdirCommand struct { func (w *WorkdirCommand) ExecuteCommand(config *manifest.Schema2Config) error { logrus.Info("cmd: workdir") workdirPath := w.cmd.Path - resolvedWorkingDir, err := util.ResolveEnvironmentReplacement(w.workdirToString(), workdirPath, config.Env, true) + resolvedWorkingDir, err := util.ResolveEnvironmentReplacement(workdirPath, config.Env, true) if err != nil { return err } @@ -48,11 +47,6 @@ func (w *WorkdirCommand) ExecuteCommand(config *manifest.Schema2Config) error { return os.MkdirAll(config.WorkingDir, 0755) } -func (w *WorkdirCommand) workdirToString() string { - workdir := []string{"WORKDIR"} - return strings.Join(append(workdir, w.cmd.Path), " ") -} - // FilesToSnapshot returns the workingdir, which should have been created if it didn't already exist func (w *WorkdirCommand) FilesToSnapshot() []string { return w.snapshotFiles From bc78e2b83887eef53d55a8726b9a30bf78bf5014 Mon Sep 17 00:00:00 2001 
From: sharifelgamal Date: Thu, 29 Mar 2018 11:53:31 -0700 Subject: [PATCH 06/10] adding USER command --- .../dockerfiles/Dockerfile_test_user_run | 19 +++++ integration_tests/dockerfiles/test_user.yaml | 15 ++++ integration_tests/integration_test_yaml.go | 7 ++ pkg/commands/expose.go | 1 + pkg/commands/label.go | 1 + pkg/commands/run.go | 22 +++++ pkg/commands/user.go | 79 ++++++++++++++++++ pkg/commands/user_test.go | 83 +++++++++++++++++++ 8 files changed, 227 insertions(+) create mode 100644 integration_tests/dockerfiles/Dockerfile_test_user_run create mode 100644 integration_tests/dockerfiles/test_user.yaml create mode 100644 pkg/commands/user.go create mode 100644 pkg/commands/user_test.go diff --git a/integration_tests/dockerfiles/Dockerfile_test_user_run b/integration_tests/dockerfiles/Dockerfile_test_user_run new file mode 100644 index 000000000..2c58a6b7a --- /dev/null +++ b/integration_tests/dockerfiles/Dockerfile_test_user_run @@ -0,0 +1,19 @@ +# Copyright 2018 Google, Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM gcr.io/google-appengine/debian9 +RUN useradd testuser +RUN groupadd testgroup +USER testuser:testgroup +RUN echo "hey" > /etc/foo diff --git a/integration_tests/dockerfiles/test_user.yaml b/integration_tests/dockerfiles/test_user.yaml new file mode 100644 index 000000000..9a4bed1dc --- /dev/null +++ b/integration_tests/dockerfiles/test_user.yaml 
@@ -0,0 +1,15 @@ +schemaVersion: '2.0.0' +commandTests: +- name: 'whoami' + command: 'whoami' + expectedOutput: ['testuser'] + excludedOutput: ['root'] +- name: 'file owner' + command: 'ls' + args: ['-l', '/tmp/foo'] + expectedOutput: ['.*testuser.*', '.*testgroup.*'] + excludedOutput: ['.*root.*'] +fileContentTests: +- name: "/tmp/foo" + path: "/tmp/foo" + expectedContent: ["hey"] diff --git a/integration_tests/integration_test_yaml.go b/integration_tests/integration_test_yaml.go index 3129456ff..36c53d84d 100644 --- a/integration_tests/integration_test_yaml.go +++ b/integration_tests/integration_test_yaml.go @@ -80,6 +80,13 @@ var structureTests = []struct { dockerBuildContext: "/workspace/integration_tests/dockerfiles/", structureTestYamlPath: "/workspace/integration_tests/dockerfiles/test_metadata.yaml", }, + { + description: "test user command", + dockerfilePath: "/workspace/integration_tests/dockerfiles/Dockerfile_test_user_run", + repo: "test-user", + dockerBuildContext: "/workspace/integration_tests/dockerfiles/", + structureTestYamlPath: "/workspace/integration_tests/dockerfiles/test_user.yaml", + }, } type step struct { diff --git a/pkg/commands/expose.go b/pkg/commands/expose.go index fa12ec110..fc9d6fe75 100644 --- a/pkg/commands/expose.go +++ b/pkg/commands/expose.go @@ -30,6 +30,7 @@ type ExposeCommand struct { } func (r *ExposeCommand) ExecuteCommand(config *manifest.Schema2Config) error { + logrus.Info("cmd: EXPOSE") // Grab the currently exposed ports existingPorts := config.ExposedPorts // Add any new ones in diff --git a/pkg/commands/label.go b/pkg/commands/label.go index 3cf8896db..81b9bab56 100644 --- a/pkg/commands/label.go +++ b/pkg/commands/label.go @@ -29,6 +29,7 @@ type LabelCommand struct { } func (r *LabelCommand) ExecuteCommand(config *manifest.Schema2Config) error { + logrus.Info("cmd: LABEL") return updateLabels(r.cmd.Labels, config) } diff --git a/pkg/commands/run.go b/pkg/commands/run.go index b08cf8800..b7e59bae8 100644 
--- a/pkg/commands/run.go +++ b/pkg/commands/run.go @@ -22,7 +22,9 @@ import ( "github.com/sirupsen/logrus" "os" "os/exec" + "strconv" "strings" + "syscall" ) type RunCommand struct { @@ -45,6 +47,26 @@ func (r *RunCommand) ExecuteCommand(config *manifest.Schema2Config) error { cmd := exec.Command(newCommand[0], newCommand[1:]...) cmd.Stdout = os.Stdout + // If specified, run the command as a specific user + if config.User != "" { + userAndGroup := strings.Split(config.User, ":") + // uid and gid need to be uint32 + uid64, err := strconv.ParseUint(userAndGroup[0], 10, 32) + if err != nil { + return err + } + uid := uint32(uid64) + var gid uint32 + if len(userAndGroup) > 1 { + gid64, err := strconv.ParseUint(userAndGroup[1], 10, 32) + if err != nil { + return err + } + gid = uint32(gid64) + } + cmd.SysProcAttr = &syscall.SysProcAttr{} + cmd.SysProcAttr.Credential = &syscall.Credential{Uid: uid, Gid: gid} + } return cmd.Run() } diff --git a/pkg/commands/user.go b/pkg/commands/user.go new file mode 100644 index 000000000..b207eaf38 --- /dev/null +++ b/pkg/commands/user.go 
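Review bot: In the `@@ -45,6 +47,26 @@` hunk of run.go, `var gid uint32` stays 0 whenever `config.User` has no group part, so a `RUN` after `USER testuser` executes with testuser's uid but with gid 0, root's group. The cause is in the new user.go in this same patch, where `uid := userObj.Uid` only gets a group appended when `group != nil`, so the user's primary group is dropped. One option is to default to it there, e.g. `else { uid = uid + ":" + userObj.Gid }`, though that also changes the string stored in the image config, so it may be preferable to resolve the primary group inside `RunCommand.ExecuteCommand`. `strings.Split(config.User, ":")` also silently ignores any third component. `ExecuteCommand` starts outside this hunk.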
@@ -0,0 +1,79 @@ +/* +Copyright 2018 Google LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package commands + +import ( + "github.com/containers/image/manifest" + "github.com/docker/docker/builder/dockerfile/instructions" + "github.com/sirupsen/logrus" + "os/user" + "strings" +) + +type UserCommand struct { + cmd *instructions.UserCommand +} + +func (r *UserCommand) ExecuteCommand(config *manifest.Schema2Config) error { + logrus.Info("cmd: USER") + u := r.cmd.User + userAndGroup := strings.Split(u, ":") + userStr := userAndGroup[0] + var groupStr string + if len(userAndGroup) > 1 { + groupStr = userAndGroup[1] + } + + // Lookup by username + userObj, err := user.Lookup(userStr) + if err != nil { + if _, ok := err.(user.UnknownUserError); ok { + // Lookup by id + userObj, err = user.LookupId(userStr) + if err != nil { + return err + } + } else { + return err + } + } + + // Same dance with groups + var group *user.Group + if groupStr != "" { + group, err = user.LookupGroup(groupStr) + if err != nil { + if _, ok := err.(user.UnknownGroupError); ok { + group, err = user.LookupGroupId(groupStr) + if err != nil { + return err + } + } else { + return err + } + } + } + + uid := userObj.Uid + if group != nil { + uid = uid + ":" + group.Gid + } + + logrus.Infof("Setting user to %s", uid) + config.User = uid + return nil +} diff --git a/pkg/commands/user_test.go b/pkg/commands/user_test.go new file mode 100644 index 000000000..fb5641939 --- /dev/null +++ b/pkg/commands/user_test.go 
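Review bot: `UserCommand.ExecuteCommand` returns an error for any user or group that is not present in the local user and group databases, including purely numeric ids, because both the `user.LookupId` and `user.LookupGroupId` fallbacks must succeed. A Dockerfile that sets `USER 1000` without first creating that account would fail here, although the uid is all that `RunCommand` later needs. Consider accepting the value unchanged when it parses as an unsigned 32-bit integer and the lookups report an unknown user or group. The exported `UserCommand` type and its `ExecuteCommand` method have no doc comments; add e.g. `// UserCommand implements the Dockerfile USER instruction`.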
@@ -0,0 +1,83 @@ +/* +Copyright 2018 Google LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +package commands + +import ( + "github.com/GoogleCloudPlatform/k8s-container-builder/testutil" + "github.com/containers/image/manifest" + "github.com/docker/docker/builder/dockerfile/instructions" + "testing" +) + +var userTests = []struct { + user string + expectedUid string + shouldError bool +}{ + { + user: "root", + expectedUid: "0", + shouldError: false, + }, + { + user: "0", + expectedUid: "0", + shouldError: false, + }, + { + user: "fakeUser", + expectedUid: "", + shouldError: true, + }, + { + user: "root:root", + expectedUid: "0:0", + shouldError: false, + }, + { + user: "0:root", + expectedUid: "0:0", + shouldError: false, + }, + { + user: "root:0", + expectedUid: "0:0", + shouldError: false, + }, + { + user: "0:0", + expectedUid: "0:0", + shouldError: false, + }, + { + user: "root:fakeGroup", + expectedUid: "", + shouldError: true, + }, +} + +func TestUpdateUser(t *testing.T) { + for _, test := range userTests { + cfg := &manifest.Schema2Config{} + cmd := UserCommand{ + &instructions.UserCommand{ + User: test.user, + }, + } + err := cmd.ExecuteCommand(cfg) + testutil.CheckErrorAndDeepEqual(t, test.shouldError, err, test.expectedUid, cfg.User) + } +} From b315cf104966cccdbab857b74e5c1f0bd7662fa6 Mon Sep 17 00:00:00 2001 
From: sharifelgamal Date: Thu, 29 Mar 2018 11:54:51 -0700 Subject: [PATCH 07/10] adding user command to switch --- pkg/commands/commands.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkg/commands/commands.go b/pkg/commands/commands.go index 08fa3ceb1..0c4eef17d 100644 --- a/pkg/commands/commands.go +++ b/pkg/commands/commands.go @@ -50,6 +50,8 @@ func GetCommand(cmd instructions.Command, buildcontext string) (DockerCommand, e return &EntrypointCommand{cmd: c}, nil case *instructions.LabelCommand: return &LabelCommand{cmd: c}, nil + case *instructions.UserCommand: + return &UserCommand{cmd: c}, nil } return nil, errors.Errorf("%s is not a supported command", cmd.Name()) } From abc85905c0eadeae8dc5c4990ecd29fb51d1f4ac Mon Sep 17 00:00:00 2001 From: sharifelgamal Date: Thu, 29 Mar 2018 12:54:00 -0700 Subject: [PATCH 08/10] adding necessary functions --- pkg/commands/user.go | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pkg/commands/user.go b/pkg/commands/user.go index b207eaf38..ae5a9e4e9 100644 --- a/pkg/commands/user.go +++ b/pkg/commands/user.go @@ -77,3 +77,12 @@ func (r *UserCommand) ExecuteCommand(config *manifest.Schema2Config) error { config.User = uid return nil } + +func (r *UserCommand) FilesToSnapshot() []string { + return []string{} +} + +func (r *UserCommand) CreatedBy() string { + s := []string{r.cmd.Name(), r.cmd.User} + return strings.Join(s, " ") +} From 7ae8f35eb95a897e3990df9726cf32c785743291 Mon Sep 17 00:00:00 2001 From: sharifelgamal Date: Thu, 29 Mar 2018 13:35:37 -0700 Subject: [PATCH 09/10] write to /tmp --- integration_tests/dockerfiles/Dockerfile_test_user_run | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integration_tests/dockerfiles/Dockerfile_test_user_run b/integration_tests/dockerfiles/Dockerfile_test_user_run index 2c58a6b7a..a71fb535e 100644 --- a/integration_tests/dockerfiles/Dockerfile_test_user_run +++ b/integration_tests/dockerfiles/Dockerfile_test_user_run 
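Review bot: The `FilesToSnapshot` and `CreatedBy` methods added to user.go in the `@@ -77,3 +77,12 @@` hunk are exported but have no doc comments, unlike their counterparts on `WorkdirCommand`. Suggested: `// FilesToSnapshot returns an empty list, since USER only changes the image config` and `// CreatedBy returns some information about the command for the image config history`.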
@@ -16,4 +16,4 @@ FROM gcr.io/google-appengine/debian9 RUN useradd testuser RUN groupadd testgroup USER testuser:testgroup -RUN echo "hey" > /etc/foo +RUN echo "hey" > /tmp/foo From da0231a4d1cd6d18181328d4fb1754692614d5c5 Mon Sep 17 00:00:00 2001 From: sharifelgamal Date: Fri, 30 Mar 2018 10:13:35 -0700 Subject: [PATCH 10/10] adding support of env variable replacement --- pkg/commands/user.go | 11 +++++++++-- pkg/commands/user_test.go | 17 ++++++++++++++++- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/pkg/commands/user.go b/pkg/commands/user.go index ae5a9e4e9..d2e4cff61 100644 --- a/pkg/commands/user.go +++ b/pkg/commands/user.go @@ -17,6 +17,7 @@ limitations under the License. package commands import ( + "github.com/GoogleCloudPlatform/k8s-container-builder/pkg/util" "github.com/containers/image/manifest" "github.com/docker/docker/builder/dockerfile/instructions" "github.com/sirupsen/logrus" @@ -32,10 +33,16 @@ func (r *UserCommand) ExecuteCommand(config *manifest.Schema2Config) error { logrus.Info("cmd: USER") u := r.cmd.User userAndGroup := strings.Split(u, ":") - userStr := userAndGroup[0] + userStr, err := util.ResolveEnvironmentReplacement(userAndGroup[0], config.Env, false) + if err != nil { + return err + } var groupStr string if len(userAndGroup) > 1 { - groupStr = userAndGroup[1] + groupStr, err = util.ResolveEnvironmentReplacement(userAndGroup[1], config.Env, false) + if err != nil { + return err + } } // Lookup by username diff --git a/pkg/commands/user_test.go b/pkg/commands/user_test.go index fb5641939..c1ebe0ab2 100644 --- a/pkg/commands/user_test.go +++ b/pkg/commands/user_test.go 
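Review bot: In the `@@ -32,10 +33,16 @@` hunk of user.go, environment replacement is applied to each half after `strings.Split(u, ":")`, so a variable whose value itself contains a colon (`ENV who=testuser:testgroup` followed by `USER $who`) is looked up as a single user name and the group is lost. As far as I know Docker expands the whole USER argument before interpreting it, so this diverges. Resolve first and split afterwards: `u, err := util.ResolveEnvironmentReplacement(r.cmd.User, config.Env, false)` and then `userAndGroup := strings.Split(u, ":")`. `ExecuteCommand` continues outside this hunk.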
@@ -67,11 +67,26 @@ var userTests = []struct { expectedUid: "", shouldError: true, }, + { + user: "$envuser", + expectedUid: "0", + shouldError: false, + }, + { + user: "root:$envgroup", + expectedUid: "0:0", + shouldError: false, + }, } func TestUpdateUser(t *testing.T) { for _, test := range userTests { - cfg := &manifest.Schema2Config{} + cfg := &manifest.Schema2Config{ + Env: []string{ + "envuser=root", + "envgroup=root", + }, + } cmd := UserCommand{ &instructions.UserCommand{ User: test.user,